SOC Analyst 1 (SA1)

SA1 Mission

Entry-level SOC analysts are responsible for monitoring security events, triaging alerts, and conducting initial investigations. They assist in incident response efforts and may perform basic security tasks such as vulnerability scanning and log analysis.

You are responsible for answering these questions for the SOC Team Leader (TL):

  1. What are we vulnerable to that can be exploited?
  2. Who is attacking us?
  3. What are the attackers trying to accomplish?
  4. What are the Indicators of Compromise (IOCs) that we should expect? How can we detect them?

As an SA1, you monitor the sensors and escalate findings to the Team Leader (TL).

[1] What are we vulnerable to that can be exploited?

For endpoints running the CrowdStrike agent, use the Vulnerability Dashboard to track down vulnerable hosts, then remediate (patch or mitigate) and record what was done.

  1. Log into the CrowdStrike Falcon console and open the Vulnerability Dashboard.
CrowdStrike EDR

Check our repositories for vulnerable code

  1. Check snyk.io for reported vulnerabilities in our projects.
  2. Check github.com and review the Dependabot alerts on each repository.

[2] Who is attacking us?

Use the WordPress plugins to check the traffic logs. They show geolocation, source IP address (and sometimes hostname), and the HTTP response code for each request. From Wordfence you can Block IP, Run a Whois query, and See Recent Traffic for a source.

  1. Wordfence > Tools > Live Traffic
  2. WP Activity Log > Log Viewer
WordPress plugin, Wordfence’s Live Traffic View

Check the Cloudflare WAF.

  1. Cloudflare > Analytics & Logs > Security
Cloudflare WAF

[3] What are the attackers trying to accomplish?

This usually requires reviewing output from more than one tool. Check the EDR, the WAF, and the host logs covered in [3b].

[3a] Are brute force attempts happening?

Rate-limiting rule matches show which sources are sending requests fast enough to trip the configured thresholds. Cloudflare only sees HTTP(S) traffic proxied through it; SSH password guessing against the origin shows up in auth.log (see the host log checks in [3b]).

  1. Cloudflare > Security > Rate Limiting
Cloudflare WAF Rate Limiting

[3b] What is being targeted?

Check the WAF events to see which paths and hosts are being hit and which rules fired.

  1. Cloudflare > Events > Path
Cloudflare WAF Events

Check the CrowdStrike EDR Firewall Events.

  1. CrowdStrike Falcon > Firewall Events
CrowdStrike EDR Firewall Events

Check the host logs

  1. SSH into the server’s origin IP address, not the domain name. The domain name resolves to the CDN edge (e.g. Akamai, Cloudflare), not to the server.
  2. cd /var/log/apache2
  3. Use cat, less, or tail -f on access.log and error.log. Rotated copies are access.log.1, access.log.2.gz, and so on; use zcat or zless for the compressed ones.
  4. Unless Apache is configured with mod_remoteip (RemoteIPHeader CF-Connecting-IP), the client address in access.log is the CDN edge’s IP, not the visitor’s. The visitor’s IP is in the CF-Connecting-IP and X-Forwarded-For request headers.
Apache access.log file
Apache error.log
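The following is an added example, not part of the original runbook or any vendor tool, that does the access.log triage above in code: which paths are being hit, by whom, with what status codes, and which hits never passed through Cloudflare. The log lines are constructed, the CDN ranges are a subset of Cloudflare’s published list (an assumption; replace with the current list from https://www.cloudflare.com/ips/), and the check assumes mod_remoteip is not in use, so the first field is the raw peer address.

```python
import re
import ipaddress
from collections import Counter

# Constructed Apache "combined" log lines for illustration (not real traffic).
# 172.64.x.x and 104.16.x.x stand in for CDN edge addresses; 203.0.113.x and
# 198.51.100.x are documentation ranges standing in for outside hosts.
SAMPLE_ACCESS_LOG = """\
172.64.10.5 - - [10/May/2024:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
172.64.10.5 - - [10/May/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 2145 "-" "Mozilla/5.0"
104.16.2.9 - - [10/May/2024:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.5 - - [10/May/2024:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2145 "-" "curl/8.0"
203.0.113.5 - - [10/May/2024:13:56:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:13:57:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"
"""

# Assumption: a subset of Cloudflare's published IPv4 edge ranges. Replace with
# the current list from https://www.cloudflare.com/ips/ before relying on this.
CDN_EDGE_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13")]

# Paths that are almost always probes or credential attacks on a WordPress origin.
PROBE_PATHS = {"/wp-login.php", "/xmlrpc.php", "/.env", "/wp-config.php"}

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["status"] = int(row["status"])
            rows.append(row)
    return rows


def is_cdn_edge(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_EDGE_RANGES)


def summarize(rows):
    return {
        "top_paths": Counter(r["path"] for r in rows).most_common(5),
        "top_sources": Counter(r["ip"] for r in rows).most_common(5),
        "status_counts": dict(Counter(r["status"] for r in rows)),
        "probes": [(r["ip"], r["method"], r["path"]) for r in rows if r["path"] in PROBE_PATHS],
        # Requests whose peer is not a CDN edge reached the origin directly, so
        # the Cloudflare WAF and rate limits never saw them.
        "origin_bypass_sources": sorted({r["ip"] for r in rows if not is_cdn_edge(r["ip"])}),
    }


if __name__ == "__main__":
    report = summarize(parse_access_log(SAMPLE_ACCESS_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any address in origin_bypass_sources means someone has the origin IP and is talking to Apache directly; restricting the origin firewall to the CDN ranges (and the SOC’s own SSH sources) closes that path. If mod_remoteip is enabled, keep the raw peer address in a separate log field (the %a format specifier) so this check still works.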

Check the syslog file.

syslog file

Check the auth.log file

auth.log file

Use lastlog to see each user’s most recent login (it reads /var/log/lastlog, so it is not limited to the period since the last restart), and last to list the logins and reboots recorded in /var/log/wtmp.

lastlog file

Check the kern.log file

kern.log file
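As an added example (not part of the original runbook), this script answers the brute-force question from [3a] for SSH using auth.log rather than the Cloudflare rate-limiting view. It counts failed sshd logins per source, lists the usernames each source tried, and, the finding that matters most, reports any successful login from a source that had already failed repeatedly. The log excerpt is constructed and the thresholds are assumptions to tune for the environment.

```python
import re
from collections import defaultdict

# Constructed sshd lines in auth.log / syslog format (not real data).
SAMPLE_AUTH_LOG = """\
May 10 13:55:30 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
May 10 13:55:31 web1 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
May 10 13:55:33 web1 sshd[2104]: Failed password for root from 203.0.113.5 port 51236 ssh2
May 10 13:55:35 web1 sshd[2106]: Failed password for root from 203.0.113.5 port 51237 ssh2
May 10 13:55:36 web1 sshd[2108]: Failed password for root from 203.0.113.5 port 51238 ssh2
May 10 13:55:40 web1 sshd[2110]: Accepted password for root from 203.0.113.5 port 51240 ssh2
May 10 14:02:11 web1 sshd[2200]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2: ED25519 SHA256:c2lnbmF0dXJl
May 10 14:05:00 web1 sshd[2210]: Failed password for deploy from 198.51.100.7 port 40113 ssh2
May 10 14:05:02 web1 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches both "Failed password for invalid user X from IP port N" and
# "Accepted publickey for X from IP port N"; other lines are ignored.
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+'
)

BRUTE_FORCE_THRESHOLD = 5    # assumption: failures from one source before it is reported
FAILURES_BEFORE_SUCCESS = 3  # assumption: a success after this many failures is the finding


def parse_sshd_events(text):
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def brute_force_report(events):
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    successes_after_failures = []
    # Log order matters: each success is judged against the failures seen before it.
    for e in events:
        ip = e["ip"]
        if e["result"] == "Failed":
            failures[ip] += 1
            users_tried[ip].add(e["user"])
        elif failures[ip] >= FAILURES_BEFORE_SUCCESS:
            successes_after_failures.append((ip, e["user"], e["method"], failures[ip]))
    return {
        "brute_force_sources": {ip: n for ip, n in failures.items() if n >= BRUTE_FORCE_THRESHOLD},
        "users_tried": {ip: sorted(users) for ip, users in users_tried.items()},
        "successes_after_failures": successes_after_failures,
    }


if __name__ == "__main__":
    report = brute_force_report(parse_sshd_events(SAMPLE_AUTH_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

A non-empty successes_after_failures list means a password guess worked; treat the host as compromised, escalate to the TL, and move to [4] rather than just blocking the IP. On systemd hosts the same lines are also available from journalctl -u ssh, which survives auth.log rotation.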

[4] What are the Indicators of Compromise (IOCs)?

To find indicators of compromise (IoCs) on a local network, there are several methods and tools that can be used. Here are some common ways to identify potential IoCs:

  1. Network Traffic Analysis: Monitor network traffic using network security tools, such as Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). Look for suspicious or anomalous activities, such as unusual network connections, high data volumes to unexpected destinations, or communication on uncommon ports.
  2. Log Analysis: Review logs from network devices, servers, and applications for any signs of compromise. Look for abnormal login attempts, access to sensitive files or directories, or unusual system activities. Security Information and Event Management (SIEM) tools can assist in centralizing and analyzing logs from various sources.
  3. Endpoint Monitoring: Deploy endpoint protection solutions, such as antivirus or endpoint detection and response (EDR) tools, to monitor activities on individual devices. Look for indicators like the presence of malicious files, unusual processes or behaviors, or changes to system files and configurations.
  4. System File Integrity Monitoring: Implement file integrity monitoring (FIM) tools to detect any unauthorized modifications to critical system files or directories. Monitor changes to system binaries, configuration files, or critical application files that could indicate tampering or compromise.
  5. Network Intrusion Detection/Prevention Systems: Utilize network-based intrusion detection or prevention systems (NIDS/NIPS) to analyze network packets and detect known attack signatures or patterns. These systems can identify suspicious activities like network scans, port scans, or known exploit attempts.
  6. Vulnerability Scanning: Regularly conduct vulnerability scans on systems and network devices to identify any known vulnerabilities that could potentially be exploited. Exploited vulnerabilities can serve as indicators of compromise. Patch or mitigate identified vulnerabilities promptly.
  7. Threat Intelligence Feeds: Subscribe to threat intelligence feeds that provide information about known malicious IPs, domains, URLs, or file hashes. Compare network traffic, logs, or file hashes against these feeds to identify potential IoCs.
  8. Security Incident Response: Establish an incident response plan and team to quickly respond to and investigate potential security incidents. Train team members to recognize and respond to IoCs effectively. Document and analyze incidents to identify any IoCs and improve future response capabilities.

It’s important to note that IoCs can vary depending on the specific threat landscape and attack techniques prevalent at a given time. Staying informed about emerging threats, regularly updating security tools and signatures, and employing a defense-in-depth approach are crucial for effectively detecting and mitigating IoCs on a local network.

  1. OpenDNS: look for potential C2 communication with known-bad domains in the DNS logs.
  2. Check the firewall NAT and state tables on Netgate (pfSense Plus), FortiGate, and Ubiquiti Security Gateway.
  3. Check netstat -ant (or ss -tanp, which also shows the owning process) on suspected endpoints.
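Added example, not part of the original runbook: a triage of netstat -ant output as in item 3, cross-checked against a threat-intel list as in item 1. It separates inbound from outbound connections using the host’s own listening ports, then flags outbound connections to external hosts that are not on an expected list, or to any peer on the IOC list. The netstat capture, the IOC list, and the expected-destination list are all constructed assumptions.

```python
import ipaddress

# Constructed `netstat -ant` output from a Linux web server (not a real capture).
# 10.0.0.15 is the server, 10.0.0.20 its database, 172.64.10.5 stands in for a
# CDN edge, and 198.51.100.7 / 203.0.113.50 are documentation addresses for outside hosts.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.15:22            198.51.100.7:40112      ESTABLISHED
tcp        0      0 10.0.0.15:443           172.64.10.5:31500       ESTABLISHED
tcp        0      0 10.0.0.15:49822         203.0.113.50:4444       ESTABLISHED
tcp        0      0 10.0.0.15:49901         10.0.0.20:3306          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""

# Assumption: constructed known-bad peers, standing in for a threat-intel feed.
IOC_PEERS = {"203.0.113.50"}

# Assumption: the only outbound connections this server is expected to make.
EXPECTED_OUTBOUND = {("10.0.0.20", 3306)}

# RFC 1918 ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_endpoint(endpoint):
    """'10.0.0.15:443' -> ('10.0.0.15', 443); ':::80' -> ('::', 80); '0.0.0.0:*' -> ('0.0.0.0', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (None if port == "*" else int(port))


def is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def parse_netstat(text):
    """Return (set of listening TCP ports, list of established connections)."""
    listening_ports, conns = set(), []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header lines, UDP sockets, etc.
        local_host, local_port = split_endpoint(fields[3])
        remote_host, remote_port = split_endpoint(fields[4])
        state = fields[5]
        if state == "LISTEN":
            listening_ports.add(local_port)
        elif state == "ESTABLISHED":
            conns.append((local_host, local_port, remote_host, remote_port))
    return listening_ports, conns


def suspicious_connections(listening_ports, conns):
    findings = []
    for local_host, local_port, remote_host, remote_port in conns:
        # A connection on one of our listening ports was initiated by the peer;
        # anything else was initiated by a process on this host.
        direction = "inbound" if local_port in listening_ports else "outbound"
        reasons = []
        if remote_host in IOC_PEERS:
            reasons.append("remote matches IOC feed")
        if (direction == "outbound" and not is_internal(remote_host)
                and (remote_host, remote_port) not in EXPECTED_OUTBOUND):
            reasons.append("unexpected outbound connection to an external host")
        if reasons:
            findings.append({
                "remote": f"{remote_host}:{remote_port}",
                "local_port": local_port,
                "direction": direction,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    listening, conns = parse_netstat(SAMPLE_NETSTAT)
    for finding in suspicious_connections(listening, conns):
        print(finding)
```

An outbound connection from a web server to an external host it has no business talking to is the classic reverse-shell or C2 pattern, and it is flagged here even when the peer is not yet on any feed. Run the real check with ss -tanp as root so the owning PID and command line are in the output, and capture it before touching the host.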